FTBFS if "-Werror=format-security" flag is used

Ralf Corsepius rc040203 at freenet.de
Fri Dec 6 14:21:07 UTC 2013


On 12/06/2013 02:07 PM, Przemek Klosowski wrote:
> On 12/05/2013 08:27 PM, Kevin Kofler wrote:
>> The vast majority of those warnings are actually false positives, not actual
>> security issues. Putting my upstream hat on, if asked to "fix" such a false
>> positive, I'd do one of:
>> (a) close the bug as INVALID/NOTABUG/WONTFIX or
>> (b) hardcode -Wno-error=format-security -Wno-format-security in my build
>> setup and close the bug as FIXED.
> They are potential security issues, because ignoring them (especially
> via (b)) sets everyone up for a fail.

In case these errors are bogus?

> For instance, today it may be a constant format string, but tomorrow
> someone will introduce it as a settable configuration parameter.
>
> Given that pretty much all those cases can be solved by either "%s" or

== Forcing C coders to use a special coding style to silence a broken
tool's warning on what is legitimate and correct code?

printf(string) is legitimate C, forcing printf("%s", string) is just silly.

Ralf
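An added example, not code from the thread or from any of its participants: the two forms Ralf contrasts, side by side, plus the attribute that makes a logging wrapper visible to the same check. The names emit_literal, emit_as_format, logmsg and SAMPLE_MSG are assumed here; compile with `gcc -Wformat -Werror=format-security` to see the build fail on the flagged function.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hardened form of printf(string): the text is an argument to a constant
 * format, so any '%' inside it is copied literally, never interpreted.
 * Returns the number of bytes snprintf would have written. */
int emit_literal(char *out, size_t outlen, const char *msg)
{
    return snprintf(out, outlen, "%s", msg);
}

/* The form the thread argues about. With a string literal the compiler is
 * silent; the moment 'fmt' is a variable (a config option, a translated
 * string), -Wformat-security reports
 *   warning: format not a string literal and no format arguments
 * and -Werror=format-security turns that into a build failure. Deliberately
 * not called below: with SAMPLE_MSG as 'fmt' the behaviour is undefined. */
int emit_as_format(char *out, size_t outlen, const char *fmt)
{
    return snprintf(out, outlen, fmt);
}

/* A logging wrapper annotated so GCC/Clang check its callers' format strings
 * the way they check printf's own. Without the attribute, a caller passing
 * a variable as 'fmt' is invisible to -Wformat-security. */
__attribute__((format(printf, 3, 4)))
int logmsg(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Constructed sample: a message whose content happens to contain directives,
 * the "constant today, settable tomorrow" case from the thread. */
static const char SAMPLE_MSG[] = "progress: 100% done, status %s, %n";

int main(void)
{
    char buf[128];
    emit_literal(buf, sizeof buf, SAMPLE_MSG);
    puts(buf);                                     /* directives stay literal */
    logmsg(buf, sizeof buf, "%s: %s", "daemon", SAMPLE_MSG);
    puts(buf);
    return 0;
}
```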

